News & Insights  |  Alerts

Google-FTC Settlement Demonstrates the Privacy Risks of Generating Buzz

March 31, 2011

Google would face new restrictions on its business practices and must conduct independent privacy audits for the next 20 years under a proposed settlement with the Federal Trade Commission (FTC) regarding the Google Buzz social networking service. 

The proposed settlement illustrates the need to consider privacy issues carefully before launching a new product or service, and to implement the new offering in a manner consistent with past and current representations to users. 

Google launched Buzz in 2010 as its highly-publicized foray into the rapidly growing social networking market.  As part of the launch, Gmail users were greeted with a message announcing the service and providing the options "Sweet! Check out Buzz" and "Nah, go to my inbox."  The FTC alleged that users who chose the "Nah" or the "Turn Off Buzz"options were still enrolled in certain Google Buzz features.  Google also did not inform users who chose "Sweet!" that the service would reveal the identity of their most e-mailed contacts by default. 

Additionally, the FTC charged Google with violating its own privacy policy.  Google had represented that it would use information from consumers signing up for Gmail only to provide a web-based email service.  Nonetheless, Google used Gmail account information to populate its social networking service.  Finally, the FTC charged Google with violating its obligations under the U.S.-European Union Safe Harbor to provide notice and choice before using consumer data for a purpose other than for which it was collected. 

Under the settlement, announced on March 30, 2011, Google would be prohibited from making future misrepresentations about its privacy policies and about its compliance with the U.S.-E.U. Safe Harbor.  Each violation can result in a civil penalty of up to $16,000. 

Google would also establish a "comprehensive privacy program" to address privacy risks going forward, incorporating "privacy by design" concepts.  Google also would agree to obtain "opt-in" consent prior to any new or additional sharing of user information with a third party that (1) is a change from stated sharing practices and (2) results from a changed, additional, or enhanced product.  Finally, Google agreed to independent audits of its privacy and data collection practices every two years for the next 20 years.  Although the proposed settlement does not involve a fine, last September Google paid $8.5 million into a privacy education fund to settle a class action lawsuit over Google Buzz. 

The Google settlement should serve as a warning and reminder to broadcasters and other online publishers that before introducing any new service or product online that uses consumer information, you should ensure that it is consistent with your privacy policy and that any planned use of personal information does not violate any privacy laws or regulations.

*District of Columbia Bar (Pending, supervised by principals of the firm)